
An internet authorization scheme using smart-card-based security kernels


Academic year: 2021



I. Attali and T. Jensen (Eds.): E-smart 2001, LNCS 2140, pp. 71-82, 2001.

© Springer-Verlag Berlin Heidelberg 2001

An Internet Authorization Scheme Using Smart-Card-Based Security Kernels

Yves Deswarte, Noreddine Abghour, Vincent Nicomette, and David Powell

LAAS-CNRS, 7 avenue du Colonel Roche, 31077 Toulouse Cedex 4, France

{Yves.Deswarte,Noreddine.Abghour,Vincent.Nicomette,David.Powell}@laas.fr

Abstract. This paper presents an authorization scheme for applications distributed on the Internet with two levels of access control: a global level, implemented through a fault- and intrusion-tolerant authorization server, and a local level, implemented as a security kernel located both on the local host Java Virtual Machine (JVM) and on a Java Card connected to this host.

1 Introduction

Today, most Internet applications are based on the client-server model. In this model, typically, the server distrusts clients, and grants each client access rights according to the client’s identity. This enables the server to record a lot of personal information about clients: identity, usual IP address, postal address, credit card number, purchase habits, etc. Such a model is thus necessarily privacy intrusive.

Moreover, the client-server model is not rich enough to cope with complex transactions involving more than two participants. For example, an electronic commerce transaction usually requires the cooperation of a customer, a merchant, a credit card company, a bank, a delivery company, etc. Each of these participants has different interests, and thus distrusts the other participants.

Within the MAFTIA¹ project, we are developing authorization schemes that can grant to each participant fair rights, while distributing to each one only the information strictly needed to execute its own task, i.e., a proof that the task has to be executed and the parameters needed for this execution, without unnecessary information such as participant identities. These schemes are based on two levels of protection:

An authorization server is in charge of granting or denying rights for high-level operations involving several participants; if a high-level operation is authorized, the authorization server distributes capabilities for all the elementary operations that are needed to carry it out.

¹ MAFTIA (Malicious- and Accidental-Fault Tolerance for Internet Applications) is a European project of the IST Program. MAFTIA partners are University of Newcastle upon Tyne (GB), prime contractor, DERA (GB), IBM Zurich Research Lab. (CH), LAAS-CNRS (F), University of Lisbon (P) and University of Saarland (D). See http://www.maftia.org/.


On each participating host, a security kernel is responsible for fine-grain authorization, i.e., for controlling the access to all local resources and objects according to the capabilities that accompany each request. To enforce hack-proofing of such security kernels on off-the-shelf computers connected to the Internet, critical parts of the security kernel will be implemented on a Java Card.

In the following sections, the general authorization architecture and the security kernel are described, and an illustrative example is presented. Finally, our approach is compared to related work.

2 General Authorization Architecture

In [Nicomette & Deswarte 1997], we proposed a generic authorization scheme for distributed object systems. In this scheme, an application can be viewed at two levels of abstraction: high-level operations and method executions. A high-level operation corresponds to the coordinated execution of several object methods towards a common goal. For instance, printing file F3 on printer P4 is a high-level operation involving the execution of a printfile method of the spooler object attached to P4, which itself has to request the execution of the readfile method of the file server object managing F3, etc.

A request to run a high-level operation is authorized or denied by an authorization server, according to symbolic rights stored in an access control matrix managed by the authorization server. More details on how the authorization server checks if a high-level operation is to be granted or denied are given in [Nicomette & Deswarte 1996] and [Abghour et al. 2001]. If the request is authorized, capabilities are created by the authorization server for all the method executions needed to realize the high-level operation. These capabilities are simple method capabilities if they are used directly by the object requesting the execution of the high-level operation, i.e., used by this object to directly call another object’s methods. Alternatively, the capabilities may be indirect capabilities or vouchers, if they cannot be used by the calling object but must be delegated to another object that, itself, will invoke other object methods to participate in the high-level operation. In fact, the notion of high-level operation is recursive, and a voucher can contain either a method capability or the right to execute a high-level operation.

This delegation scheme is more flexible than the usual “proxy” scheme, by which an object transmits to another object some of its access rights for this delegated object to execute operations on behalf of the delegating object. Our scheme is also closer to the “least privilege principle”, since it helps to reduce the privileges needed for performing delegated operations. For instance, if an object O is authorized to print a file, it has to delegate a read-right to the spooler object, for the spooler to read the file to be printed. To delegate this read-right, with the proxy scheme, O must possess this read-right; so O could misuse this right by making copies of the file and distributing them. In this case, the read-right is a privilege much higher than a simple print-right.

In our scheme, if O is authorized to print a file, O will receive a voucher for the spooler to read the file, and a capability to call the spooler. The voucher, by itself, cannot be used by O. With the capability, O can invoke the spooler and transmit the
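The capability/voucher split described in this section, as an added example that is not the paper's code: the authorization server checks O's symbolic print-right, then issues O a capability to call the spooler and a voucher that only the spooler can redeem for readfile, so O never holds the read-right it would need under the proxy scheme. The access-control-matrix layout, the MAC-based tag that lets a local security kernel verify server issuance, and the class names are assumptions.

```python
# Added illustration, not the paper's code: toy model of the capability/voucher
# delegation for "O prints file F3 on printer P4"; all names here are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SERVER_KEY = secrets.token_bytes(32)  # authorization server's MAC key (constructed)

def _tag(*fields: str) -> str:
    """MAC that lets a local security kernel verify a right was server-issued."""
    return hmac.new(SERVER_KEY, "|".join(fields).encode(), hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class Capability:          # direct method capability, usable by `holder`
    holder: str
    target: str
    method: str
    arg: str
    tag: str

@dataclass(frozen=True)
class Voucher:             # indirect capability: only `redeemer` can use it
    redeemer: str
    target: str
    method: str
    arg: str
    tag: str

def issue_print_rights(acm, requester, file, printer):
    """Authorization server: check the symbolic right in the access control
    matrix, then emit the elementary rights needed for the high-level operation."""
    if "print" not in acm.get((requester, file), set()):
        return None
    cap = Capability(requester, printer, "printfile", file,
                     _tag("cap", requester, printer, "printfile", file))
    # O receives the voucher but cannot use it: it names the spooler as redeemer.
    vou = Voucher(printer, "fileserver", "readfile", file,
                  _tag("vou", printer, "fileserver", "readfile", file))
    return cap, vou

class SecurityKernel:
    """Local reference monitor on each host: accepts a request only when the
    caller is the named holder/redeemer and the server's tag verifies."""
    def check_cap(self, caller, cap):
        return caller == cap.holder and hmac.compare_digest(
            cap.tag, _tag("cap", cap.holder, cap.target, cap.method, cap.arg))
    def check_voucher(self, caller, vou):
        return caller == vou.redeemer and hmac.compare_digest(
            vou.tag, _tag("vou", vou.redeemer, vou.target, vou.method, vou.arg))
```

A voucher re-addressed to O fails verification because the redeemer is bound into the server's tag, which is the property that keeps O below the read-right.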
